[colug-432] password survey
Rob Funk
rfunk at funknet.net
Sat May 24 11:25:06 EDT 2014
On Friday, May 23, 2014 07:57:51 PM Bill Baker wrote:
> Thanks for the articles. I glanced through the second link, the one you
> said references XKCD, and the password examples they gave that their
> crackers were able to decipher were terrible. If they weren't too
> short, the words they used were related to each other, not random
> dictionary words.
...
> I still
> maintain that the password in the joke (if it was not already a
> well-known joke) would be practically Fort Knox secure.
You're right for the old tools. But you're missing the general point about
the modern tools, which (combined with modern hardware) make it easy
and fast to guess by using combinations of random words (along with
mutations of them).
Historically we've been able to rely on counting characters for security,
while making things more memorable by using a few longer semantic clumps.
But now the software understands those semantic clumps, reducing the
entropy in a long memorable password. So the same features that make a long
password memorable make it easier for the wordlist-equipped software to
guess.
http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
"The other variable was the account holders' decision to use memorable
words. The characteristics that made "momof3g8kids" and "Oscar+emmy2" easy
to remember are precisely the things that allowed them to be cracked. Their
basic components—"mom," "kids," "oscar," "emmy," and numbers—are a core
part of even basic password-cracking lists. The increasing power of
hardware and specialized software makes it trivial for crackers to combine
these ingredients in literally billions of slightly different permutations"
The use of wordlists means that what we used to think of as an 11-character
password turns into a 4-5 element password, and a 52-character password
(which is within the limits of the software described) turns into a
9-element password. Still a much-better-than-average password (and not
deserving of ridicule), but also still crackable with today's tools.
> So what do we do?
Depends on who "we" are. For users, password managers seem to be the
current best practice, generating and saving meaningless random long
passwords.
http://arstechnica.com/security/2013/07/how-elite-security-ninjas-choose-and-safeguard-their-passwords/
And certainly sysadmins and software developers need to make sure passwords
are salted and hashed using modern slow algorithms.
But ultimately we need to get away from relying solely on passwords.
For designing new authentication protocols, public key authentication is
secure but has problems with getting non-techies up to speed. And it still
doesn't help much with existing protocols that weren't designed with
public-key authentication in mind. Of course, neither end-users nor
sysadmins have the ability to change the standard protocols or other
people's services to get away from passwords.
--
Rob Funk <rfunk at funknet.net>
http://funknet.net/rfunk
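As an added example (not part of Rob's post or of the Ars Technica articles he links), the Python script below makes the "characters versus elements" arithmetic concrete. It splits a password into the building blocks a wordlist-driven cracker would combine (dictionary words, digit runs, symbol runs, leftover letters), then compares the classic count-the-characters entropy estimate with an estimate that charges roughly log2(rank) bits per word plus a small mutation budget, and finally turns the bits into guess time at a fast and a slow hash rate. The demo wordlist and its frequency ranks, the 16-variant mutation budget, and the two guess rates (1e10/s standing in for an unsalted fast hash on a GPU rig, 1e4/s for a salted slow hash such as bcrypt or scrypt) are all assumptions made for this example, not measurements.

```python
import math

# Constructed demo wordlist: word -> assumed frequency rank in a cracking
# dictionary. Real cracker lists hold millions of entries; these values
# exist only so the arithmetic below has something to chew on.
WORD_RANK = {
    "password": 1, "of": 3, "love": 20, "mom": 120, "kids": 400,
    "correct": 800, "horse": 1500, "battery": 4000, "oscar": 5000,
    "emmy": 9000, "staple": 12000,
}
MUTATION_BITS = 4       # assume ~16 case/leet/suffix variants tried per word
SYMBOL_POOL = 33        # printable ASCII that is neither a letter nor a digit
MAX_WORD_LEN = max(len(w) for w in WORD_RANK)


def tokenize(password):
    """Split a password into the elements a wordlist-driven cracker combines:
    dictionary words (greedy longest match, case-insensitive), digit runs,
    symbol runs, and single leftover letters that hit no dictionary entry."""
    s = password.lower()
    elements, i = [], 0
    while i < len(s):
        ch = s[i]
        if ch.isalpha():
            word = None
            for j in range(min(len(s), i + MAX_WORD_LEN), i, -1):
                if s[i:j] in WORD_RANK:
                    word = s[i:j]
                    break
            if word:
                elements.append(("word", word))
                i += len(word)
            else:
                elements.append(("char", ch))   # no dictionary hit: one literal letter
                i += 1
        elif ch.isdigit():
            j = i
            while j < len(s) and s[j].isdigit():
                j += 1
            elements.append(("digits", s[i:j]))
            i = j
        else:
            j = i
            while j < len(s) and not (s[j].isalpha() or s[j].isdigit()):
                j += 1
            elements.append(("symbols", s[i:j]))
            i = j
    return elements


def char_entropy_bits(password):
    """The classic 'count the characters' estimate: every position is an
    independent pick from the union of the character classes present."""
    if not password:
        return 0.0
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not (c.islower() or c.isupper() or c.isdigit()) for c in password):
        pool += SYMBOL_POOL
    return len(password) * math.log2(pool)


def element_entropy_bits(elements):
    """Estimate once the cracker treats words as units: a word costs about
    log2(its rank) plus the mutation budget, a digit run log2(10) per digit,
    a symbol run log2(33) per symbol, and a leftover letter log2(26)."""
    bits = 0.0
    for kind, text in elements:
        if kind == "word":
            bits += math.log2(WORD_RANK[text]) + MUTATION_BITS
        elif kind == "digits":
            bits += len(text) * math.log2(10)
        elif kind == "symbols":
            bits += len(text) * math.log2(SYMBOL_POOL)
        else:
            bits += math.log2(26)
    return bits


def crack_seconds(bits, guesses_per_second):
    """Expected time to search half of a space of 2**bits guesses."""
    return 2 ** (bits - 1) / guesses_per_second


def compare(password, fast_rate=1e10, slow_rate=1e4):
    """Both views of one password, plus guess time under an assumed fast
    (unsalted, GPU-friendly) and slow (bcrypt/scrypt-like) hash rate."""
    elements = tokenize(password)
    eb = element_entropy_bits(elements)
    return {
        "char_bits": char_entropy_bits(password),
        "elements": len(elements),
        "element_bits": eb,
        "fast_seconds": crack_seconds(eb, fast_rate),
        "slow_seconds": crack_seconds(eb, slow_rate),
    }


if __name__ == "__main__":
    for pw in ("momof3g8kids", "Oscar+emmy2", "correcthorsebatterystaple"):
        r = compare(pw)
        print(f"{pw:26} chars={len(pw):2} ({r['char_bits']:5.1f} bits)  "
              f"elements={r['elements']} ({r['element_bits']:5.1f} bits)  "
              f"fast-hash {r['fast_seconds']:9.3g}s  slow-hash {r['slow_seconds']:9.3g}s")
```

Run it and the two Ars Technica examples come out as 6 and 4 elements, and the XKCD-style four-word phrase as 4 elements worth roughly half the bits the character count suggests; the last two columns are the reason the slow salted hash matters even when the password itself is not changed.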